https://github.com/referefref/modpot

Modular web-application honeypot platform built using go and gin
https://github.com/referefref/modpot

cti cyber-threat-intelligence golang honeypot

Last synced: 6 days ago
JSON representation

Modular web-application honeypot platform built using go and gin

• Host: GitHub
• URL: https://github.com/referefref/modpot
• Owner: referefref
• License: apache-2.0
• Created: 2024-02-15T16:15:40.000Z (9 months ago)
• Default Branch: main
• Last Pushed: 2024-05-08T03:19:45.000Z (6 months ago)
• Last Synced: 2024-06-09T02:33:47.685Z (5 months ago)
• Topics: cti, cyber-threat-intelligence, golang, honeypot
• Language: HTML
• Homepage: https://jamesbrine.com.au
• Size: 320 KB
• Stars: 50
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE

Awesome Lists containing this project

• awesome-honeypots - modpot - Modpot is a modular web application honeypot framework and management application written in Golang and making use of gin framework. (Honeypots)
• fucking-awesome-honeypots - modpot - Modpot is a modular web application honeypot framework and management application written in Golang and making use of gin framework. (Honeypots)

README

        
[![Active Development](https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)

[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/dwyl/esta/issues)

# modpot v0.3.11 (Not for workgroups)

![Go](https://img.shields.io/badge/go-%2300ADD8.svg?style=for-the-badge&logo=go&logoColor=white)![HTML5](https://img.shields.io/badge/html5-%23E34F26.svg?style=for-the-badge&logo=html5&logoColor=white)![JavaScript](https://img.shields.io/badge/javascript-%23323330.svg?style=for-the-badge&logo=javascript&logoColor=%23F7DF1E)

![modpot-wide](https://github.com/referefref/modpot/assets/56499429/409d59b0-9e14-45f7-abdc-abe721e0e678)

![image](https://github.com/referefref/modpot/assets/56499429/f13d4e39-becd-48da-aee1-29e21b921ce4)

modpot is a modular web application honeypot framework written in Golang and making use of gin framework.

It is the antithesis to [***honeydet***](https://github.com/referefref/honeydet) in many ways and allows the user to deploy simple html/js honeypots that mimic web applications in order to detect requests and form entries that are related to attacks. Responders offer a modular capacity for automation and logging pipelines and are not limited by programming language.

modpot is best utilised alongside [***honeypage***](https://github.com/referefref/honeypage) a tool that creates flattened single html file versions of web applications, which makes them portable and easy to use with modpot.

## Responders

![image](https://github.com/referefref/modpot/assets/56499429/c0f09791-3ebc-4159-b47e-a1669485f29d)

Responders allow for simple triggering of automation, logging, or connection to SOC platforms. 

The parameters that can be passed to responders are ID, Application, Datetime, IP Source, Log Event.

Included are the following examples:

* Email

* iptables - time window blocking

* SMS (Using twilio)

* Slack - webhook

* Syslog

* Splunk - HEC endpoint

* Webhook-generic

## Example config

```yaml

honeypots:

  - id: 1

    name: "ExampleHoneypot1"

    cve: "CVE-2021-XXXX"

    application: "FakeWebApp1"

    port: 8081

    enabled: true

    template_html_file: "index1.html"

    detection_endpoint: "/fakeapp"

    request_regex: ".*attack.*"

    redirect_url: "https://jamesbrine.com.au/"

    date_created: "2022-01-01"

    date_updated: "2022-01-02"

    responders:

      - engine: "/usr/bin/bash"

        script: "email.sh"

        parameters: ["honeypots.id", "honeypots.application", "honeypot_logs.datetime", "honeypot_logs.ip_source", "honeypot_logs.log_event"]

      - engine: python3

        script: sms.py

        parameters: ["honeypots.id", "honeypots.application", "honeypot_logs.datetime", "honeypot_logs.ip_source", "honeypot_logs.log_event"]

      - engine: "/usr/bin/bash"

        script: "iptables_block.sh"

        parameters: ["honeypot_logs.ip_source"]

  - id: 2

    name: "ExampleHoneypot2"

    cve: "CVE-2022-YYYY"

    application: "FakeWebApp2"

    port: 8082

    enabled: true

    template_html_file: "index2.html"

    detection_endpoint: "/anotherapp"

    request_regex: "^/admin"

    redirect_url: "test.html"

    date_created: "2022-02-01"

    date_updated: "2022-02-02"

```

## Note

I am not responsible for your use/mis-use of this application. It was created for research purposes and is not intended nor do I or it's existence give implicit authority to use it as a phishing tool or for any other malicious purposes. Now, with the boring stuff out of the way.

## Todo

* Tidy up web frontend and features (search, filter, paginate etc.)

* Allow for multi-step configs for more complex honeypages

* Set up reporting/alerting on match and allow configuration through web frontend

* Build honeypage into modpot, allowing the page download process to take place through the "Add honeypot" button in the main interface